QwikSec

Security Database

CVE

CWE

Training

CVE-2021-21393

Published: Apr 12, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.

Vendor	Product	Versions
matrix-org	synapse	affected `< 1.28.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://pypi.org/project/matrix-synapse/

x_refsource_MISC

https://github.com/matrix-org/synapse/pull/9321

x_refsource_MISC

https://github.com/matrix-org/synapse/pull/9393

x_refsource_MISC

https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88

x_refsource_CONFIRM

FEDORA-2021-a627cfd31e

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.